server: The owner of a securable object should have all the standard access rights.

Cygwin fork() fails in NtCreateSymbolicLinkObject(). We successfully create the link but then fail to alloc_handle() with STATUS_ACCESS_DENIED, because the requested access rights exceed what the owner is allowed. Allow it more. Thank you to Dmitry Timoshkov for debugging the security details from alloc_handle() onwards. Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=48891Signed-off-by: Damjan Jovanovic <damjan.jov@gmail.com> Signed-off-by: Alexandre Julliard <julliard@winehq.org>

server: The owner of a securable object should have all the standard access rights.
31e984a0 · Damjan Jovanovic · Alexandre Julliard · 2e4bfa64 · 31e984a0 · 31e984a0
Commit 31e984a0 authored Jun 06, 2021 by Damjan Jovanovic Committed by Alexandre Julliard Jun 08, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 18 additions and 3 deletions

security.c dlls/advapi32/tests/security.c +17 -2

token.c server/token.c +1 -1

No files found.
--- a/dlls/advapi32/tests/security.c
+++ b/dlls/advapi32/tests/security.c
@@ -1076,10 +1076,25 @@ todo_wine {
    SetLastError(0xdeadbeef);
    rc = AccessCheck(sd, token, DELETE, &mapping, &priv_set, &priv_set_len, &granted, &status);
    ok(rc, "AccessCheck error %d\n", GetLastError());
-todo_wine {
    ok(status == 1, "expected 1, got %d\n", status);
    ok(granted == DELETE, "expected DELETE, got %#x\n", granted);
-}
+    granted = 0xdeadbeef;
+    status = 0xdeadbeef;
+    SetLastError(0xdeadbeef);
+    rc = AccessCheck(sd, token, WRITE_OWNER, &mapping, &priv_set, &priv_set_len, &granted, &status);
+    ok(rc, "AccessCheck error %d\n", GetLastError());
+    ok(status == 1, "expected 1, got %d\n", status);
+    ok(granted == WRITE_OWNER, "expected WRITE_OWNER, got %#x\n", granted);
+    granted = 0xdeadbeef;
+    status = 0xdeadbeef;
+    SetLastError(0xdeadbeef);
+    rc = AccessCheck(sd, token, SYNCHRONIZE, &mapping, &priv_set, &priv_set_len, &granted, &status);
+    ok(rc, "AccessCheck error %d\n", GetLastError());
+    ok(status == 1, "expected 1, got %d\n", status);
+    ok(granted == SYNCHRONIZE, "expected SYNCHRONIZE, got %#x\n", granted);
    granted = 0xdeadbeef;
    status = 0xdeadbeef;
    SetLastError(0xdeadbeef);

--- a/server/token.c
+++ b/server/token.c
@@ -1113,7 +1113,7 @@ static unsigned int token_access_check( struct token *token,
     * determined here. */
    if (token_sid_present( token, owner, FALSE ))
    {
-        current_access |= (READ_CONTROL | WRITE_DAC);
+        current_access |= (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE);
        if (desired_access == current_access)
        {
            *granted_access = current_access;